MySQL security issue


rokec

4:41 pm on Feb 18, 2007 (gmt 0)

10+ Year Member



I have conn.php (file which connects to MySql). Can someone simply include that file and retrieve my database data?

jatar_k

5:46 pm on Feb 18, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



yes they could

normally you put those above the root so they can not be included via http

henry0

5:54 pm on Feb 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A good solution is to set your conn script above root then point to it.

Set within each of your scripts something like:
require_once($_SERVER['DOCUMENT_ROOT']."/conn_db.php");

As is, from anywhere in your scripts and directories you use only one URI (no need to change any URI).

Then conn_db (set at root level) might be for ex:
require_once ("/var/www/conn/my_conn.php");
where my_conn is your db conn script

mcavic

7:09 pm on Feb 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



PHP files can't be included via HTTP, can they? The Web server would only give the output, not the source.

But other users with accounts on the server can just read the file directly, no matter where it is.

jatar_k

7:16 pm on Feb 18, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



yes they can be included via http
[php.net...]
If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper

and they could easily use get_defined_vars() to see what they need to

rokec

8:58 pm on Feb 18, 2007 (gmt 0)

10+ Year Member



So I can include everything from everywhere? Is it possible to make all this completely secure?

henry0

9:11 pm on Feb 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you do as explained you will be OK,
but remember we only speak about your conn-db script.

The rest is up to you
like verifying that user inputs are really the expected values

and then using safe insert in your DB

but that's another thread and it was/is always a frequent topic :)

rokec

2:18 pm on Feb 20, 2007 (gmt 0)

10+ Year Member



If these things were as you said, people would simply include an e-bank main page (since it contains the MySQL login information) and simply modify or delete the whole database.

jatar_k

2:40 pm on Feb 20, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



it really is exactly as I said, you would hope they have taken precautions against that exact thing

but it doesn't mean people have.

rokec

2:42 pm on Feb 20, 2007 (gmt 0)

10+ Year Member



can you also get variables set like that?

jatar_k

3:42 pm on Feb 20, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I'm not sure what you mean

set like what?

rokec

5:56 pm on Feb 20, 2007 (gmt 0)

10+ Year Member



can you steal all set variables that way?

joelgreen

6:08 pm on Feb 20, 2007 (gmt 0)

10+ Year Member



If you do it like include("http://www.somesite.com/index.php") you'll get output (parsed php code) rather than php source code of the index.php

In order to get source code one would need to include it directly (using os path). So one would only be able to see index.php source code if on the same server (i.e. just another account on shared server).

rokec

6:28 pm on Feb 20, 2007 (gmt 0)

10+ Year Member



can you get the source code of other customers on a shared server?

jatar_k

9:52 pm on Feb 20, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



on some hosts you can navigate right into other accounts using the shell and cat whatever you like, not uncommon at all

yes you can cross include on some hosts if they haven't taken precautions

yes you only get output from an included script but try including a file via http and then call get_defined_vars [php.net] and see what happens
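As an added example, not code from any of the posts above: a conn_db.php bootstrap in the style henry0 describes, which refuses to load the credentials file when include over URL wrappers is enabled, when the file sits inside DOCUMENT_ROOT, or when it is world-readable on a shared host. The /var/www/conn/my_conn.php path is the thread's own; the check_conn_hardening function and its name are assumptions of this example, and it relies on the fact that since PHP 5.2 include/require over URL wrappers is governed by the separate allow_url_include directive (default Off), not allow_url_fopen.

```php
<?php
// conn_db.php: bootstrap placed at the web root (constructed example).
// The credentials file lives OUTSIDE the document root, so the web server
// never serves it and an include via http:// can only ever fetch output.
declare(strict_types=1);

const CONN_FILE = '/var/www/conn/my_conn.php'; // path given in the thread

/**
 * Returns a list of hardening problems; an empty array means all checks passed.
 *  (1) URL wrappers cannot be used with include/require
 *  (2) the credentials file really is outside DOCUMENT_ROOT
 *  (3) the credentials file is not readable by "other" accounts on the host
 */
function check_conn_hardening(string $connFile, string $docRoot): array
{
    $problems = [];

    // allow_url_include is PHP_INI_SYSTEM: it can only be changed in php.ini
    // or the server config, so report it instead of trying ini_set().
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'allow_url_include is On; set allow_url_include=Off in php.ini';
    }

    $realConn = realpath($connFile);
    $realRoot = realpath($docRoot);
    if ($realConn === false) {
        $problems[] = "credentials file not found: $connFile";
    } elseif ($realRoot !== false
        && strpos($realConn, $realRoot . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = "credentials file $realConn is inside document root $realRoot";
    }

    // Other accounts on a shared host read files directly, so the mode matters
    // (this does not help against a misconfigured host or a root compromise).
    if ($realConn !== false && (fileperms($realConn) & 0004) !== 0) {
        $problems[] = "credentials file is world-readable; chmod 640 or 600 $realConn";
    }

    return $problems;
}

$problems = check_conn_hardening(CONN_FILE, $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
if ($problems !== []) {
    // Fail closed: do not connect with credentials that may already be exposed.
    error_log('conn_db.php refused to load: ' . implode('; ', $problems));
    http_response_code(500);
    exit;
}

require_once CONN_FILE; // my_conn.php holds the actual connection code
```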